blob: 874498d19aeffa652a314d0cc51fedc1c7c30afb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "cloud_print/service/win/local_security_policy.h"
#include <atlsecurity.h>
#include <ntsecapi.h>
#include <windows.h>
#include "base/logging.h"
#include "base/strings/string_util.h"
const wchar_t kSeServiceLogonRight[] = L"SeServiceLogonRight";
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif
namespace {
template<class T>
class ScopedLsaMemory {
public:
ScopedLsaMemory() : lsa_memory_(NULL) {
}
~ScopedLsaMemory() {
Close();
}
void Close() {
if (lsa_memory_) {
LsaFreeMemory(lsa_memory_);
lsa_memory_ = NULL;
}
}
T* Get() const {
return lsa_memory_;
}
T** Receive() {
Close();
return &lsa_memory_;
}
private:
T* lsa_memory_;
DISALLOW_COPY_AND_ASSIGN(ScopedLsaMemory);
};
} // namespace
LocalSecurityPolicy::LocalSecurityPolicy() : policy_(NULL) {
}
LocalSecurityPolicy::~LocalSecurityPolicy() {
Close();
}
void LocalSecurityPolicy::Close() {
if (policy_) {
LsaClose(policy_);
policy_ = NULL;
}
}
bool LocalSecurityPolicy::Open() {
DCHECK(!policy_);
Close();
LSA_OBJECT_ATTRIBUTES attributes = {0};
return STATUS_SUCCESS ==
::LsaOpenPolicy(NULL, &attributes,
POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES,
&policy_);
}
bool LocalSecurityPolicy::IsPrivilegeSet(
const base::string16& username,
const base::string16& privilage) const {
DCHECK(policy_);
ATL::CSid user_sid;
if (!user_sid.LoadAccount(username.c_str())) {
LOG(ERROR) << "Unable to load Sid for" << username;
return false;
}
ScopedLsaMemory<LSA_UNICODE_STRING> rights;
ULONG count = 0;
NTSTATUS status = ::LsaEnumerateAccountRights(
policy_, const_cast<SID*>(user_sid.GetPSID()), rights.Receive(), &count);
if (STATUS_SUCCESS != status || !rights.Get())
return false;
for (size_t i = 0; i < count; ++i) {
if (privilage == rights.Get()[i].Buffer)
return true;
}
return false;
}
bool LocalSecurityPolicy::SetPrivilege(const base::string16& username,
const base::string16& privilage) {
DCHECK(policy_);
ATL::CSid user_sid;
if (!user_sid.LoadAccount(username.c_str())) {
LOG(ERROR) << "Unable to load Sid for" << username;
return false;
}
LSA_UNICODE_STRING privilege_string;
base::string16 privilage_copy(privilage);
privilege_string.Buffer = &privilage_copy[0];
privilege_string.Length = wcslen(privilege_string.Buffer) *
sizeof(privilege_string.Buffer[0]);
privilege_string.MaximumLength = privilege_string.Length +
sizeof(privilege_string.Buffer[0]);
return STATUS_SUCCESS ==
::LsaAddAccountRights(policy_, const_cast<SID*>(user_sid.GetPSID()),
&privilege_string, 1);
}
|
